✔ May 2019 scan - results
Completed by Ryan K.
Assigned to: Harsh P., Jitesh D., Morgan M.
Notes:
Please find attached the most recent scan. I suggest we delete or mark complete previous to-dos within this list as this scan will now supersede those issues.
Once you're comfortable with the results I can create separate to-dos for each vulnerability.
Thanks!
Ryan
I've completed all the old to-dos.
Thanks,
Morgan
I have checked the ZAP Scanning Report and studied each section. Please find attached a sheet describing the planning and resolution, for both the current and the new ISLG, of these security scan results.
Thanks,
Jitesh
Thanks for the report above. Just to clarify a few items, the report below states "Max Overcome" and "Overcome" in the ISLG Rebuild column. Could you clarify what is meant by these two terms? Does "Overcome" mean the issue is already resolved in the new application, and "Max Overcome" mean the team is working on resolving the issue? Please clarify.
Thanks,
Morgan
Thanks very much for going through the document. I have the same questions as
Thanks!
Ryan
Overcome means "succeed in controlling"
Max Overcome means "max try to control"
"Overcome" means it will be resolved in the ISLG Rebuild, and "Max Overcome" means most points will be resolved in the ISLG Rebuild. In the new ISLG we are focusing on those security issues and trying our maximum to overcome them.
Does "Overcome" mean the issue is already resolved in the new application, and "Max Overcome" mean the team is working on resolving the issue?
Yes, Morgan, we are working in such a manner as to not face these security attacks in the new ISLG.
Does this mean resolving these problems is going to take a significant amount of work? Also, will resolving these issues have impacts on the performance/functionality of the application?
Morgan, the current ISLG needs lots of improvements and changes to the workflow, so overcoming those SQL injections in the current ISLG would amount to a redesign and redevelopment. My suggestion is not to make changes in the current ISLG to resolve those points, as it will impact major functionality as well.
We will resolve this and are planning the new ISLG so as not to reproduce the SQL injection attack.
Let me know your feedback.
Thanks,
Jitesh
Thank you for the clarification. Ok. I suppose if fixing the issues in the current application will require a significant amount of work, and may have effects on functionality, we'll hold off. However, please ensure all these issues are resolved in the new application.
We'll keep this report handy for reference purposes, and perform another scan as appropriate before launch.
Thanks,
Morgan
A reminder to run the security scan on the non-member pages of ISLG.
Thanks,
Morgan
Please find attached the security scan focused on the non-member side of the site.
Thanks!
Ryan
Morgan
Thanks,
Jitesh
Morgan
I have studied the security scan report on the non-member pages of ISLG and we are working on it. First we are taking the Medium and Low categories, and they will be done in 2-3 days.
The High category will be taken up after completing the Medium and Low risk levels.
Thanks,
Jitesh
Let us know as each issue is resolved.
Morgan
Could you please provide an update on getting the issues in this to-do resolved? Please provide an itemized update on the high and medium risks alerts in the following report:
Thanks,
Morgan
We have resolved the Low risk level category and are looking into Medium. The High risk level would impact major development changes due to parameters passed in the URL and some implementation of the development structure, so we will reduce the High category in the new approach in the ISLG Rebuild.
Thanks,
Jitesh
As we've discussed above, we can leave the security issues concerning the members pages unresolved until the rebuild is complete, but all the issues for the public non-member pages, which are contained in the report above need to be resolved immediately. We can't continue to operate public web pages that could be vulnerable to a high risk attack. How do you suggest we address the issue?
Note that the public non-member pages were only set up last year, so I would assume that we could deal with these more easily than the member pages. If not, we may need to consider migrating all the public pages to a more secure CMS environment.
Morgan
To sum up what we discussed earlier today, here is the plan for next steps on this issue:
Morgan
The following report shows how we will address the issues raised in the recent security scanning report.
Yes, Morgan, you can either run the scan on www.islg or set up a security certificate on dev.islg. It will be useful to avoid the reason we know of for the site vulnerability.
Thanks,
Jitesh
I'll reach out to Carbon60 to see if they support Let's Encrypt certificates that we can get installed on dev.islg.
Ryan
Thanks,
Morgan
Have we got a response from Carbon60 on getting the security certificates for dev.islg?
Thanks,
Morgan
Oddly nothing yet. I've followed up again.
Ryan
Please cc me on the email when you send it to Carbon60, so that I can follow up if necessary.
Morgan
They've responded with the following:
Thanks!
Ryan
I have studied the Let's Encrypt installation guidelines on the website. It seems there are many dependencies needing the network team when we start the installation on the server. Also, we have not done the same exercise previously, so it is better to have it done by them. It might have a wrong effect on the www.islg live site, as both websites are configured on the same server.
Thanks,
Jitesh
Ryan
Morgan
Thanks,
Morgan
Thanks,
Morgan
Sorry about that - I had meant to send it yesterday. I've just forwarded you the email thread.
Thanks!
Ryan
Morgan
Could you please reactivate the automated emails for dev.islg (I believe they are still disabled to run scans above). We need to create accounts on the development environment, and we can't do so until these automated emails are restored.
Thanks,
Morgan
We have reactivated the automated emails on dev.islg.
Morgan
Could you please suppress the emails again on dev.islg? Now that the cert is installed on dev.islg I will start the security scan of the non-member pages on Monday morning.
Thanks!
Ryan
We have suppressed the emails on dev.islg.
Ryan